The FTC SilverPush Warning Letters

As I described in a recent blog post, I recently submitted a Freedom of Information Act (FOIA) request to the Federal Trade Commission (FTC) for more information on the recipients of the warning letters they sent to Android app developers found to be using the SilverPush toolkit, which tracks inaudible audio beacons embedded in TV broadcasts for cross-device behavioral analysis. Several others and I studied SilverPush last November in response to FTC’s cross-device tracking workshop, and in particular the position paper submitted by the Center for Democracy and Technology (CDT).

Following the announcement of the warning letters, I contacted Kristin Cohen of the FTC for more information, including the names of the warned parties, which she declined to provide, but acknowledged would probably be provided in response to a FOIA.

The FOIA response I received included copies of the letters themselves, which had the names of the apps and developers. SilverPush has told the FTC that no TV broadcasts aimed at US audiences contain their tracking beacons, but it is also of interest to know what sorts of apps are able to detect these beacons, in case that situation changes. Here’s a summary of the apps, along with a description of each and whether the app accesses the device’s microphone (which is needed to receive the beacon):

Developer

App

Microphone Access?

Comments

Jayson Tamayo

Civil Service Reviewer Free

Training for Philippine civil service exam

Pinoy Henyo

Word guessing game

3S Studio / Sanjay Chadha

Fight TV India

Wrestling videos, apparently aimed at Indian market

Daily Current Affairs 2015-10

?

Preparation for Indian civil service exam? (can’t find specific app, but similar app uses microphone)

Rajesh Rishi

Fingerprint Applock

Appears to be “Fingerprint Applock (Real)” by Raja Gopal based on YouTube video

Make Money Apps / Yogesh Aggarwal Cpifbi

Free Recharge Swipe

Yes

Advertising/analytics app

Imran Khan

History GK

Education app focused on Indian exams

Mobext Philippines

Krispy Kreme Philippines

Yes

Philippine e-commerce app

WebApps World

Marathi Recipes

Recipes in Marathi language (spoken in western India)

Nganghu985

mPaisa: Get Free Recharge

Yes

India-focusecd advertising/analytics app

Photo studio apps

Photo Background Changer

Yes

Photo editor

AppLock, Inc.

Secret Applock

Yes*

Hides and locks installed apps.

Applock Theme – Galaxy

Yes*

Hides and locks installed apps

Apps Da Fun

99 Photo Effects + Frames

?

All Apps Da Fun apps are no longer in Google Play

Project D

Bird Up Up!

Yes

Game for kids

Quite a few of the apps have been updated since the FTC warning letters were sent. It’s possible that the beacon capability has been removed from them, which might account for the number that do not access the microphone. Although not related to beacons, it was notable that the AppLock apps (marked Yes*) also had the capability to reroute outgoing calls, which doesn’t seem to be related to their function.

An Android app analysis service, Addons Detector, did an analysis last fall of apps using the SilverPush toolkit. Their analysis came up with some of the same apps, and some different ones. It’s not clear where the list the FTC used came from, since that was part of the FOIA that they claimed an exemption on.

Unfortunately, it isn’t possible to perform the same analysis on iOS apps, since they’re encrypted, except possibly through the use of a “jail-broken” iOS device. Few of the same apps exist for iOS, with the notable exception of Mobext’s Krispy Kreme Philippines app. It’s questionable whether the cross-device tracking toolkit would be acceptable under the Apple app review guidelines.

Hopefully these warning letters will cause these and other developers to be cautious about the use of audio beacons without informed user consent. But given that other companies are pursuing very similar technologies, in some cases with the support of startup incubators, continued vigilance is warranted to make sure that users’ personal information, such as their television viewing habits, aren’t further collected without their knowledge and consent.